CRADA report from UL and US VA: Procurement as driver of medical device cybersecurity

A new report issued by the US Department of Veterans Affairs and UL suggests that along with regulation, procurement policies at healthcare purchasing organizations will play an increasingly significant role in driving medical device cybersecurity risk management efforts.

The recent Cooperative Research and Development Agreement (CRADA) report examines cybersecurity risks posed by connected medical devices, and how device manufacturers and healthcare providers can better collaborate to effectively manage these risks.

The report takes into account various moving parts in the complex issue of managing cybersecurity risk within the Internet of Medical Things (IoMT), including the potential for healthcare providers and systems to establish more rigorous cyber standards and requirements as part of their connected medical device procurement processes. While device manufacturers and software developers prepare for compliance to evolving cybersecurity-related regulations from US FDA and other market regulators, pressure from healthcare delivery organizations (HDOs) and general purchasing organizations (GPOs) to demonstrate proper cybersecurity risk mitigation measures and controls will also increase for these companies.

VA oversees a healthcare network serving nine million patients in the US, and entered into the CRADA with UL in order to identify methods for more effective lifecycle management of connected devices while minimizing cyber risks and vulnerabilities.

Using UL 2900 as part of VA’s procurement process

During the two-year CRADA period, VA utilized UL’s UL 2900 set of cybersecurity standards for network-connected medical devices for both internal review and management of the department’s cyber-related procurement processes and procedures; and for evaluation of devices and software under consideration for procurement to determine adequacy of these products’ cybersecurity controls in the context of connected medical environments.

VA assessed an infusion pump from ICU Medical that had obtained certification to UL 2900-2-1, and found that procurement processes were actually accelerated. VA concluded that implementing UL 2900 provided benefits such as:

• VA’s pre-procurement risk, security and product assessment processes improved;
• Network security controls and product security controls would achieve stronger balance via adoption of UL 2900;
• The UL 2900-2-1 standard could facilitate deployment by HDOs of mission-critical functionalities on state-of-the-art medical device technologies without having to degrade or alter those functionalities;
• Adding UL 2900 to HDOs’ device lifecycle management practices would boost control over cybersecurity issues and allow these entities to focus resources on the most crucial safety and security threats to patients.

Potential implications for HDOs and manufacturers

Given VA’s role as one of the largest healthcare providers and medical device purchasing entities in the US, the CRADA conclusions will likely drive HDOs to more carefully consider utilizing UL 2900 and other pertinent standards as cybersecurity becomes a bigger factor in organizations’ device procurement approaches. For manufacturers of connected medical devices and technologies, certification to such standards not only helps address cybersecurity regulatory requirements, but also meet procurers’ criteria for purchasing consideration.

Emergo by UL will provide additional analysis of the UL-VA CRADA report in the coming weeks.

Additional medical device cybersecurity resources from Emergo by UL:

• Cyber regulatory support
• Secure development lifecycle management support
• Webinar: US FDA premarket cybersecurity guidance for medical devices